[jira] [Commented] (SLING-11538) Add display context for JSON string
[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17623124#comment-17623124 ]

Konrad Windszus commented on SLING-11538:

Fixed in
* https://github.com/apache/sling-org-apache-sling-scripting-sightly/commit/d677bfad1c040aaa439fa3be2d4828d37da4d5f5 (impl)
* https://github.com/apache/sling-org-apache-sling-scripting-sightly-testing-content/commit/99729b8a62f86fd663e989a19a5a5f4c37162c8d (IT test content)
* https://github.com/apache/sling-org-apache-sling-scripting-sightly-testing/commit/ff9b75c66a8557fa2e78941a46f82734009e8e58 (IT)

> Add display context for JSON string
> ---
>
> Key: SLING-11538
> URL: https://issues.apache.org/jira/browse/SLING-11538
> Project: Sling
> Issue Type: Improvement
> Components: HTL
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: Scripting HTL Engine 1.4.22-1.4.0
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> It would be useful to add an output context to HTL to be used inside JSON. As JSON is very complex, the most essential one which currently cannot be achieved with any other existing contexts is escaping for a JSON String value (compare with https://github.com/adobe/htl-spec/issues/5).
> I propose to introduce a new context {{jsonString}} next to {{scriptString}} in https://github.com/apache/sling-org-apache-sling-scripting-sightly/blob/192d953514e6e579428cda157a7e83fc2a05cc01/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java#L93.
> As it is not part of the official HTL spec at https://github.com/adobe/htl-spec/blob/master/SPECIFICATION.md#121-display-context it needs to be listed as a Sling-specific addition in https://sling.apache.org/documentation/bundles/scripting/scripting-htl.html#extensions-of-the-htl-specification.

-- This message was sent by Atlassian Jira (v8.20.10#820010)
[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17612562#comment-17612562 ]

Konrad Windszus commented on SLING-11538:

[~radu] I enhanced the test content in https://github.com/apache/sling-org-apache-sling-scripting-sightly-testing-content/pull/7/commits/42151fff3ed850d61d4698dcd5fdc5afafd3c025 to illustrate a concrete use case.
[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17597868#comment-17597868 ]

Konrad Windszus commented on SLING-11538:

The use case is inline JSON in HTML. Writing that in Java methods is for sure possible but breaks the model/view separation from my PoV. The JSON can be generated far easier in HTL if just that missing context is added. I am gonna improve the test case to show a more realistic scenario where the same getter method is used in both regular HTML and in inline JSON values.
[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17597629#comment-17597629 ]

Radu Cotescu commented on SLING-11538:

[~kwin], what's the use case? The test you added (https://github.com/apache/sling-org-apache-sling-scripting-sightly-testing-content/pull/7/files#diff-05f462b0429b9368cac540b6f079b6e8fb3e3f85b828a8be2e95dde9b8cc8e2c) doesn't help me understand it. Why can't you output JSON using a specialised JSON library?
[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17579256#comment-17579256 ]

Konrad Windszus commented on SLING-11538:

[~castelo] Commons Lang3 is already an existing dependency of the HTL Engine bundle, while Commons Text is not. Also Commons Text does not ship e.g. with AEM 6.5. As I consider the underlying code pretty stable (and for sure upwards compatible till Commons Lang 4 appears) I would rather stay with the deprecated Commons Lang3 implementation for the time being.

> Also, I think it will be good to wrap the output with xssApi.getValidJson() to ensure the result is correct

I don't think that we need another XSS protection for JSON String but rather for a dedicated context encapsulating the full JSON structure. I cannot think of an XSS scenario with properly escaped JSON strings only. Feel free to raise a new issue for a display context for the full JSON. Unfortunately {{XSSApi.getValidJson()}} cannot be used for such a context (as that just returns the second argument in case JSON is invalid), but rather requires a library like https://github.com/OWASP/json-sanitizer.
[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17579254#comment-17579254 ]

Pablo Castelo commented on SLING-11538:

[~kwin] I did some tests yesterday with StringEscapeUtils and it works fine but it is deprecated; maybe use the new version that is also available in a Sling instance as a bundle: https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/StringEscapeUtils.html. I didn't try yet, but the possible method will be https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/StringEscapeUtils.html#escapeEcmaScript(java.lang.String). Also, I think it will be good to wrap the output with xssApi.getValidJson() to ensure the result is correct.
[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17578978#comment-17578978 ]

Konrad Windszus commented on SLING-11538:

As implementation one could either write such an escape method from scratch or use the JSON-P Standard (https://javaee.github.io/jsonp/).
[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17578976#comment-17578976 ]

Konrad Windszus commented on SLING-11538:

The JSON spec (https://www.ecma-international.org/wp-content/uploads/ECMA-404_2nd_edition_december_2017.pdf) says the following in chapter 9 (String):

> A string is a sequence of Unicode code points wrapped with quotation marks (U+0022). All code points may be placed within the quotation marks except for the code points that must be escaped: quotation mark (U+0022), reverse solidus (U+005C), and the control characters U+0000 to U+001F. There are two-character escape sequence representations of some characters.
>
> \" represents the quotation mark character (U+0022).
> \\ represents the reverse solidus character (U+005C).
> \/ represents the solidus character (U+002F).
> \b represents the backspace character (U+0008).
> \f represents the form feed character (U+000C).
> \n represents the line feed character (U+000A).
> \r represents the carriage return character (U+000D).
> \t represents the character tabulation character (U+0009).
>
> So, for example, a string containing only a single reverse solidus character may be represented as "\\".
>
> Any code point may be represented as a hexadecimal escape sequence. The meaning of such a hexadecimal number is determined by ISO/IEC 10646. If the code point is in the Basic Multilingual Plane (U+0000 through U+FFFF), then it may be represented as a six-character sequence: a reverse solidus, followed by the lowercase letter u, followed by four hexadecimal digits that encode the code point. Hexadecimal digits can be digits (U+0030 through U+0039) or the hexadecimal letters A through F in uppercase (U+0041 through U+0046) or lowercase (U+0061 through U+0066). So, for example, a string containing only a single reverse solidus character may be represented as "\u005C".
>
> The following four cases all produce the same result: "\u002F" "\u002f" "\/" "/"
>
> To escape a code point that is not in the Basic Multilingual Plane, the character may be represented as a twelve-character sequence, encoding the UTF-16 surrogate pair corresponding to the code point. So for example, a string containing only the G clef character (U+1D11E) may be represented as "\uD834\uDD1E". However, whether a processor of JSON texts interprets such a surrogate pair as a single code point or as an explicit surrogate pair is a semantic decision that is determined by the specific processor.
>
> Note that the JSON grammar permits code points for which Unicode does not currently provide character assignments.
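An added example, not code from the Sling HTL engine or the linked commits: a JSON string escaper that follows the ECMA-404 rules quoted above, applied to the inline-JSON-in-HTML use case discussed earlier in the thread. The decision to always write `/` as `\/` (permitted by the spec, and what keeps a `</script>` inside a value from closing the surrounding element) and the helper and function names are assumptions of this example; it also shows why an ECMAScript-style escape such as `\'` is no substitute, since JSON does not accept it.

```python
import json

# Two-character escapes from ECMA-404 section 9: the first two are mandatory,
# the rest are the short forms the spec lists for some control characters.
_SHORT_ESCAPES = {
    '"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
    '\n': '\\n', '\r': '\\r', '\t': '\\t',
}

def escape_json_string(value: str, escape_solidus: bool = True) -> str:
    """Return the body of a JSON string literal for `value` (no quotes).

    Mandatory per ECMA-404: U+0022, U+005C and the controls U+0000..U+001F.
    Assumption of this example: '/' is also written as '\\/' (the spec permits
    it) so that a value such as '</script>' cannot close a surrounding
    <script> element when the JSON is inlined into HTML.
    """
    out = []
    for ch in value:
        if ch in _SHORT_ESCAPES:
            out.append(_SHORT_ESCAPES[ch])
        elif ch == '/' and escape_solidus:
            out.append('\\/')
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))  # remaining control characters
        else:
            out.append(ch)  # any other code point may stay literal
    return ''.join(out)

def is_valid_json_string_literal(body: str) -> bool:
    """True if '"' + body + '"' is accepted by a strict JSON parser."""
    try:
        json.loads('"' + body + '"')
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False

def roundtrips(value: str) -> bool:
    """The escaped form must parse back to exactly the original value."""
    return json.loads('"' + escape_json_string(value) + '"') == value

def render_inline_json(title: str) -> str:
    """The thread's use case: a model getter value emitted into inline JSON
    in HTML (hypothetical markup, not the linked IT test content)."""
    return ('<script type="application/json">{"title":"%s"}</script>'
            % escape_json_string(title))

if __name__ == '__main__':
    # Constructed sample: quotes, a tab and a closing tag inside the value.
    print(render_inline_json('Sling "HTL"\t1/2 </script>'))
```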